Mechanism for efficient private bulk messaging

ABSTRACT

Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient&#39;s public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient&#39;s public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient&#39;s private key, resulting in an un-encrypted message decryption key. The recipient then decrypts the message using the un-encrypted message decryption key.

[0001] This application claims priority to U.S. Provisional ApplicationSer. No. 60/184,785, filed Feb. 24, 2000, Attorney Docket No.DIFF-01005US0, which is co-pending and incorporated by reference herein.

BACKGROUND

[0002] 1. Field of the Invention

[0003] The invention relates to secure transmission of documents, andmore particularly, to transmission of documents to a large number ofrecipients, securely and efficiently.

[0004] 2. Description of Related Art

[0005] The Internet and corporate networks have made the transmission ofdocuments and messages via e-mail commonplace. Bulk messaging has alsobecome commonplace, such as for advertising and promotional purposes.For bulk messaging, typically a user on one computer composes a messageand addresses it to an e-mail group. The message is transmitted to aserver, which substitutes the individual addresses of all the targetrecipients in the group, which may number in the thousands, andtransmits the message individually to each target recipient.

[0006] Unlike advertising and promotional uses, many businesses requirethat their communications take place securely. When messages are to betransmitted across an insecure network, such as the Internet, securityis typically accomplished by encrypting the message in a manner that canbe decrypted only with knowledge of a decryption key. Since only theintended recipient is expected to have the decryption key, only thatrecipient will be able to open the message and view its contents.Encryption may be performed using a symmetrical encryption algorithm, inwhich the encryption key matches the decryption key, or by an asymmetricalgorithm, in which the encryption key is different from the decryptionkey. One popular form of asymmetric encryption is public/private keyencryption, described in “Public-key Cryptography Standards,” RSA DataSecurity, Inc. (1991), and in Rivest U.S. Pat. No. 4,405,829, bothincorporated by reference herein.

[0007] According to the public/private key crypto system, each targetrecipient has both a private key that only the recipient knows, and apublic key that is publicly available. When a sender desires to send amessage securely to one of the target recipients, the sender encryptsthe message using the target recipient's public key. Only the targetrecipient then is able to open the message and view its contents.

[0008] Secure messaging becomes problematical when the sender desires tosend the message to a large number of target recipients. If apublic/private key cryptosystem is to be used, then the sender mustencrypt the message N times, once using the public key of each of the Ntarget recipients, and then send the message separately to each of thetarget recipients. If the document to be transmitted is large, and/or ifN is in the thousands, this can be a formidable task. The encryptionpart of the task can be minimized if all of the target recipients sharea single decryption key, because then the sender need encrypt themessage only once. But the need for all recipients to have thedecryption key poses risks both in the transmission and in the storageof the key. This solution also does not overcome the need for the senderto transmit the message separately, once to each of the N targetrecipients.

[0009] Accordingly, there is a need for a more efficient mechanism forsecure bulk transmission of messages.

SUMMARY OF THE INVENTION

[0010] According to the invention, roughly described, a sender firstencrypts the message once. The message can be decrypted with a messagedecryption key. These can be symmetric or asymmetric keys. For eachrecipient, the sender then encrypts the message decryption key with therecipient's public key. The sender then sends the encrypted message andthe encrypted message decryption keys to a store-and-forward server.Subsequently, one or more recipients connect to the server and retrievethe encrypted message and the message encryption key that has beenencrypted with the recipient's public key. Alternatively, the server canforward these items to each individual recipient. The recipient thendecrypts the encrypted message decryption key with the recipient'sprivate key, resulting in an un-encrypted message decryption key. Therecipient then decrypts the message using the un-encrypted messagedecryption key.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] The invention will be described with respect to particularembodiments thereof, and reference will be made to the drawings, inwhich:

[0012]FIG. 1 is a block diagram of a system incorporating the invention.

[0013]FIG. 2 is a flowchart of basic steps undertaken by a sender intransmitting a secure bulk message using the arrangement of FIG. 1.

[0014]FIG. 3 is a flowchart illustrating the process undertaken by arecipient to retrieve and open the message.

[0015]FIG. 4 illustrates a format by which an encrypted message and theencrypted decryption keys are stored on the server of FIG. 1.

DETAILED DESCRIPTION

[0016]FIG. 1 is a block diagram of a system incorporating the invention.It comprises a sender 110, which sends the encrypted message andencrypted message decryption keys to a server 112, which can then beaccessed by each of N target recipients 114-1, 114-2, 114-3, . . . 114-N(collectively, target recipients 114). One or more of the transmissionpaths from the sender 110 to the server 112 or from the server 112 tothe recipients 114 are potentially insecure. As used herein, the term“message” is intended to be read broadly to include all kinds ofinformation that might be transmitted, such as e-mail messages,documents, financial transactions, and so on. Also as used herein, theserver 112 need not be limited to a single computer. It can includemultiple computers which need not even be located physically together.

[0017]FIG. 2 is a flowchart of the basic steps undertaken by the senderin transmitting a secure bulk message using the arrangement of FIG. 1.In step 210, the sender first creates the message to be sent. In step212, the sender encrypts the message. As mentioned, encryption at thisstage can be either by a symmetric or an asymmetric encryptionalgorithm. Although there are many examples of acceptable encryptionalgorithms, one common symmetric algorithm is that described in NationalInstitutes of Standards and Technology, “Data Encryption Standard”, FIPSPublication No. 46-1 (January 1988) (hereinafter “DES”), incorporated byreference herein. The encryption process in step 212 can be reversedusing a message decryption key known by the sender.

[0018] In step 214, the sender encrypts the message decryption key Ntimes—once using the public key of each of the N target recipients. Thisyields N encrypted message decryption keys. In step 216, the sendersends the encrypted message, the addresses of the target recipients, andthe list of encrypted message decryption keys to the server 112. It willbe appreciated that one of the target recipients could be a third-partymonitor, such as a government agency that is permitted to view themessage if required by law.

[0019] Optionally, the sender can also send to the server 112 (or theserver itself generate) a digital signature protecting all of theencrypted decryption keys associated with a particular encryptedmessage. The list of encrypted decryption keys thereafter cannot betampered with without being detectable by reference to the digitalsignature. A digital signature is created by digesting the list, orsignificant portions of the list, using a well-known digestingalgorithm, and then encrypting the digest with the sender's (orserver's) private key of a public/private pair. In order to check fortampering, an auditor repeats the digesting of the list of encrypteddecryption keys, to form a new digest, and then decrypts the digitalsignature using the sender's (or the server's) public key, to recoverthe original digest, and then compares the two for equality. Asatisfactory digesting algorithm is that describe in R. Rivest, “MD5Message-Digest Algorithm”, Internet Engineering Task Force RFC No. 1321(April 1992), incorporated by reference herein.

[0020] On the server 112, the encrypted message and the encrypteddecryption keys are stored as illustrated in FIG. 4. The encryptedmessage is stored at 410. In conjunction with the encrypted message 410,the server stores each of the encrypted decryption keys 412-1, 412-2, .. . , 412-N. One of the encrypted decryption keys can, as mentionedabove, optionally be a monitor's decryption key 414. Optionally alsostored in conjunction with the encrypted message 410, is a digitalsignature 416 protecting the list of encrypted decryption keys. Theelements illustrated in FIG. 4 may be stored all in one contiguousregion of computer-readable memory, or across discontiguous regions, oracross discontiguous regions of multiple computer-readable media.

[0021] In one embodiment, the server maintains a document managementsystem which not only stores multiple encrypted messages and theirassociated encrypted decryption keys, but also provides logical andstructured restricted access to the various items by individual sendersand individual recipients. For example, one such document managementsystem allows senders to change the message stored on the server 112,while not allowing other senders to do so and while not allowing anyrecipient to do so. Another such document management system allowssenders to add, delete or change entries in the list of encrypteddecryption keys for messages that were transmitted by the sender, whilenot allowing such modifications by other senders or by any recipient.Yet another such document management system, when accessed by aparticular recipient, shows the recipient only those messages on whichthe particular recipient is identified as a target recipient, hiding anymessages for which there is no encrypted decryption key for theparticular recipient.

[0022]FIG. 3 is a flowchart illustrating the process undertaken by arecipient to retrieve and open the message. In step 310, the recipientaccesses the server 112, and in step 312, the recipient downloads theencrypted message and at least the particular recipient's encryptedmessage decryption key 412. Alternatively, the server 112 can forwardthese items to the recipient without awaiting action from the recipient.In step 314, the particular recipient decrypts the recipient's encryptedmessage decryption key, yielding an unencrypted message decryption key.In step 316, the recipient decrypts and views the encrypted messageusing the now-unencrypted message decryption key.

[0023] It will be appreciated that the above-described mechanism iscapable of many variations. As one example, in step 216, the sending ofthe encrypted message and list of encrypted message decryption keys neednot take place in a single transmission. Some of all of the encryptedmessage decryption keys can be sent earlier or later than the encryptedmessage.

[0024] As another example, encrypted decryption keys could be bundledinto the message and the single message with the encrypted decryptionkeys could be broadcast to all recipients without compromising thesecurity of the mechanism.

[0025] As yet another example, public and private keys for encryptingthe decryption keys could be replaced with symmetric private keyswithout affecting the security or efficiency of the mechanism.

[0026] As still another example, server 112 could be eliminated and themessage with the encrypted decryption keys could be broadcast to allrecipients and any other listeners, and only the target recipients willbe able to decrypt the message and the security of the mechanism is notcompromised.

[0027] As yet another example, for one or more of the target recipients,the sender can multiply encrypt the recipient's message decryption key,thereby requiring multiple entities to be involved in the decryption ofthe message decryption key. For example, the sender may first encryptthe message decryption key with the target recipient's public key,yielding a “partially-encrypted” message decryption key. The sender maythen re-encrypt the partially-encrypted message decryption key, usingthe public key of an authorizer, thus yielding the final encryptedmessage decryption key. Upon receipt of the message, the recipient firsthas the encrypted decryption key decrypted by the authorizer, using theauthorizer's private key. This recovers the partially-encrypted messagedecryption key. The recipient then decrypts the partially-encryptedmessage decryption key, using the recipient's private key, thus yieldingthe un-encrypted message decryption key. Alternatively, the order ofencryption for the multiple parties can be reversed, as long as thedecryption sequence takes place in the same order as the encryptionsequence.

[0028] The foregoing description of preferred embodiments of the presentinvention has been provided for the purposes of illustration anddescription. It is not intended to be exhaustive or to limit theinvention to the precise forms disclosed. Obviously, many modificationsand variations will be apparent to practitioners skilled in this art. Inparticular, and without limitation, any and all variations described,suggested or incorporated by reference in the Background section of thispatent application are specifically incorporated by reference into thedescription herein of embodiments of the invention. The embodimentsdescribed herein were chosen and described in order to best explain theprinciples of the invention and its practical application, therebyenabling others skilled in the art to understand the invention forvarious embodiments and with various modifications as are suited to theparticular use contemplated. It is intended that the scope of theinvention be defined by the following claims and their equivalents.

1. A method for transmitting a message, comprising the steps ofencrypting said message to develop an encrypted message, said encryptedmessage being decryptable using a first decryption key; encrypting saidfirst decryption key with encryption keys of a plurality of targetrecipients, to develop a plurality of encrypted decryption keys; andtransmitting said encrypted message and said encrypted decryption keysto said target recipients.
 2. A method according to claim 1 , whereinsaid step of encrypting said message comprises the step of encryptingsaid message with a symmetric encryption algorithm.
 3. A methodaccording to claim 1 , wherein said step of encrypting said messagecomprises the step of encrypting said message with an asymmetricencryption algorithm.
 4. A method according to claim 1 , wherein saidstep of encrypting said first decryption key, with respect to a firstone of said target recipients, comprises the step of encrypting saidfirst decryption key with a symmetric encryption algorithm.
 5. A methodaccording to claim 1 , wherein said step of encrypting said firstdecryption key, with respect to a first one of said target recipients,comprises the step of encrypting said first decryption key with anasymmetric encryption algorithm.
 6. A method according to claim 1 ,wherein said step of encrypting said first decryption key, with respectto a first one of said target recipients, comprises the steps of:encrypting said decryption key with a key of an additional party, todevelop a partially encrypted decryption key; and encrypting saidpartially encrypted decryption key with the key of said first targetrecipient.
 7. A method according to claim 1 , wherein said step oftransmitting comprises the step of broadcasting said encrypted messageand said encrypted decryption keys to a plurality of listeners, not allof which are members of said plurality of target recipients.
 8. A methodaccording to claim 1 , wherein said step of transmitting comprises thesteps of: sending said encrypted message to a server; and said serverforwarding said encrypted message to each of said target recipients. 9.A method according to claim 8 , wherein said step of transmittingfurther comprises the step of sending said encrypted decryption keys toone of said target recipients bypassing said server.
 10. A methodaccording to claim 8 , wherein said step of transmitting furthercomprises the step of sending said encrypted decryption keys to saidserver.
 11. A method according to claim 10 , further comprising the stepof sending to said server an additional encrypted decryption key,encrypted with a key of an additional target recipient, after said stepof sending said encrypted decryption keys to said server.
 12. A methodaccording to claim 10 , further comprising the step of deleting orchanging one of said encrypted decryption keys on said server after saidstep of sending said encrypted decryption keys to said server.
 13. Amethod according to claim 10 , further comprising the step of sending tosaid server a digital signature covering at least one of said encrypteddecryption keys.
 14. A method according to claim 10 , further comprisingthe step of sending to said server a digital signature covering all ofsaid encrypted decryption keys.
 15. A method for receiving a message,comprising the steps of: receiving an encrypted message, said encryptedmessage being decryptable using a first decryption key; receiving inconjunction with said encrypted message a plurality of encrypteddecryption keys for said encrypted message; decrypting a particular oneof said encrypted decryption keys to recover said first decryption key;and decrypting said encrypted message using said first decryption key.16. A method according to claim 15 , wherein said step of decrypting aparticular encrypted decryption key comprises the steps of: decryptingsaid encrypted decryption key with a key of a first party, to develop apartially decrypted decryption key; and decrypting said partiallydecrypted decryption key with a key of a second party.
 17. A methodaccording to claim 15 , wherein said step of receiving an encryptedmessage comprises the step of receiving said encrypted message from aserver.
 18. A method according to claim 17 , wherein said step ofreceiving a plurality of encrypted decryption keys comprises the step ofreceiving said plurality of encrypted decryption keys bypassing saidserver.
 19. A method according to claim 17 , wherein said step ofreceiving a plurality of encrypted decryption keys comprises the step ofaccessing said server, said plurality of encrypted decryption keys beingstored on said server.
 20. A method according to claim 17 , wherein saidstep of receiving a plurality of encrypted decryption keys comprises thestep of a user accessing said server, said plurality of encrypteddecryption keys being stored on said server in conjunction with saidencrypted message, said server permitting access to only those messagesstored thereon for which said user is a target recipient.
 21. A methodaccording to claim 15 , further comprising the step of downloading saidencrypted message from said server prior to said step of decrypting saidencrypted message using said first decryption key.
 22. Apparatusincluding at least one computer readable storage medium, said apparatuscarrying data comprising: an encrypted message, said encrypted messagebeing decryptable using a first decryption key; and a plurality ofencrypted decryption keys stored in conjunction with said encryptedmessage, each of said encrypted decryption keys including said firstdecryption key encrypted with an encryption key of a respective targetrecipient of said message.
 23. Apparatus according to claim 22 , whereinone of said target recipients is a monitor.
 24. Apparatus according toclaim 22 , wherein said data further comprises a digital signatureprotecting at least a portion of said encrypted decryption keys.